
How To Create Restricted SFTP User Accounts on Ubuntu


Creating restricted SFTP user accounts on Ubuntu is an essential task for system administrators who want to limit user access to certain directories. This article will guide you through the process of creating such accounts using OpenSSH Server.

Quick Answer

To create restricted SFTP user accounts on Ubuntu, you need to install and configure OpenSSH Server. After that, you can create a new group for SFTP-only users, create a new user and add them to the group, set the user’s home directory, and restart the SSH service. This setup allows users to access only their home directory and prevents them from executing commands on the server.

Prerequisites

Before we start, ensure that you have the following:

  • An Ubuntu system.
  • Sudo or root access to the system.

Installing OpenSSH Server

The OpenSSH server (sshd) provides SSH logins and, through its sftp subsystem, SFTP file transfer. To install it, open your terminal and run the following command:

sudo apt-get install openssh-server

This command uses apt-get, the package handling utility in Ubuntu, to install the OpenSSH server.

Configuring OpenSSH Server

After installing OpenSSH, we need to configure it to restrict user access. The main configuration file for OpenSSH is located at /etc/ssh/sshd_config. Open this file using a text editor such as nano:

sudo nano /etc/ssh/sshd_config

In this file, find the line Subsystem sftp /usr/lib/openssh/sftp-server and change it to Subsystem sftp internal-sftp. This switches the SFTP server from the external sftp-server binary to internal-sftp, which runs inside sshd itself and therefore works inside a chroot that contains no programs or libraries of its own.

Next, add the following lines at the end of the file:

Match Group sftp-only
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Here’s what each line does:

  • Match Group sftp-only: This line matches users who are part of the sftp-only group.
  • ChrootDirectory %h: This line restricts users to their home directory (%h). sshd only accepts a chroot directory that is owned by root and not writable by group or others; if the directory is owned by the user or is group/world-writable, the login is refused.
  • ForceCommand internal-sftp: This line forces the connection to use the SFTP protocol.
  • AllowTcpForwarding no: This line disables TCP forwarding, which is not needed for SFTP.

After making these changes, save and close the file.

Creating SFTP-Only Group and User

Now, we will create a new group for SFTP-only users:

sudo addgroup sftp-only

Next, create a new user and add them to the sftp-only group:

sudo adduser sftpuser
sudo usermod -aG sftp-only sftpuser

In these commands, sftpuser is the username of the new user. You can replace it with any username you prefer. The -a flag appends sftp-only to the user's existing supplementary groups; usermod -G on its own would replace them.

Setting the Home Directory

To restrict the user’s access to their home directory, set the home directory as follows:

sudo usermod -d /path/to/home/directory sftpuser

Replace /path/to/home/directory with the actual path to the user’s home directory.

Restarting the SSH Service

Finally, restart the SSH service for the changes to take effect:

sudo service ssh restart
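The whole procedure above, from the sshd_config edits to the service restart, as one re-runnable script. This is an added example, not code from the article: it assumes an Ubuntu host with GNU sed and Debian's adduser, it creates a user-writable upload/ subdirectory (the article does not) because sshd requires the chroot directory itself to be root-owned and therefore unwritable by the user, and it validates the configuration with sshd -t before restarting. The user name alice and the path /srv/sftp/alice in the usage line are constructed placeholders. With DRY_RUN=1 the script prints the commands it would run instead of executing them.

```shell
# Added example (not from the article): provisions one chroot'd SFTP-only user end
# to end. Assumptions: Ubuntu with GNU sed and Debian adduser; sshd's own rule that
# a ChrootDirectory must be owned by root and not group/world-writable.
set -eu

SFTP_GROUP="sftp-only"

# Run a command, or only print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The Match block the article appends to sshd_config, for the given group name.
sftp_match_block() {
    printf 'Match Group %s\n    ChrootDirectory %%h\n    ForceCommand internal-sftp\n    AllowTcpForwarding no\n' "$1"
}

# Point the sftp subsystem at internal-sftp and append the Match block once.
# Safe to re-run: the sed is idempotent and the block is skipped if present.
install_sftp_match_block() {
    cfg="$1"
    sed -i 's|^Subsystem[[:space:]]\{1,\}sftp[[:space:]]\{1,\}.*|Subsystem sftp internal-sftp|' "$cfg"
    if ! grep -q "^Match Group $SFTP_GROUP\$" "$cfg"; then
        { printf '\n'; sftp_match_block "$SFTP_GROUP"; } >> "$cfg"
    fi
}

# sshd's ChrootDirectory rule: owner uid 0, no write bit for group or other.
# Takes a numeric uid and an octal mode string as printed by stat -c '%u' / '%a'.
chroot_mode_ok() {
    uid="$1" mode="$2"
    [ "$uid" = "0" ] || return 1
    perms=${mode#"${mode%???}"}            # last three octal digits (drops setgid/sticky)
    group=${perms#?}; group=${group%?}     # group digit
    other=${perms#??}                      # other digit
    case "$group$other" in *[2367]*) return 1 ;; esac   # 2,3,6,7 carry the write bit
    return 0
}

# Apply that rule to a real directory on disk.
chroot_dir_ok() {
    chroot_mode_ok "$(stat -c '%u' "$1")" "$(stat -c '%a' "$1")"
}

# Provision user $1 with chroot home $2. The home becomes root-owned (sshd insists),
# so a user-writable upload/ subdirectory is created for the actual transfers.
provision_sftp_user() {
    user="$1" home="$2"
    if ! getent group "$SFTP_GROUP" >/dev/null 2>&1; then
        run addgroup "$SFTP_GROUP"
    fi
    run adduser --disabled-password --gecos "" --home "$home" "$user"   # set a password or deploy a key afterwards
    run usermod -aG "$SFTP_GROUP" "$user"           # -a keeps the user's existing groups
    run chown root:root "$home"
    run chmod 755 "$home"
    [ "${DRY_RUN:-0}" = "1" ] || chroot_dir_ok "$home"   # abort before touching sshd if the chroot would be refused
    run install -d -o "$user" -g "$SFTP_GROUP" -m 750 "$home/upload"
    run install_sftp_match_block /etc/ssh/sshd_config
    run sshd -t                                     # refuse to restart on a broken config
    run service ssh restart
}

# Usage: DRY_RUN=1 sh sftp-user.sh alice /srv/sftp/alice   (drop DRY_RUN to apply as root)
if [ "$#" -eq 2 ]; then
    provision_sftp_user "$1" "$2"
fi
```

After applying it, verify from another machine that sftp alice@host lands in / (the chroot) with a writable upload/ directory, and that an interactive login or a remote command such as ssh alice@host id is rejected rather than executed.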

Conclusion

You have now successfully created a restricted SFTP user account on Ubuntu. This user can only access their home directory and cannot execute any commands on the server. This setup is ideal for sharing files securely with external users.

Remember to replace sftpuser and /path/to/home/directory with the actual username and path in your environment. Always test the setup before sharing the details with the end user.

For more information on OpenSSH, visit the official OpenSSH documentation.

What is SFTP?

SFTP stands for Secure File Transfer Protocol. It is a network protocol that allows for secure file transfer and remote file management over a secure SSH connection.

Why would I want to create restricted SFTP user accounts?

Creating restricted SFTP user accounts allows you to limit user access to specific directories, providing an additional layer of security. This is useful when you want to share files securely with external users or restrict access to sensitive data.

Can I create multiple restricted SFTP user accounts?

Yes, you can create multiple restricted SFTP user accounts by following the steps outlined in the article for each user. Each user will have their own home directory and restricted access to their respective directories.

How can I change the home directory for an SFTP user?

To change the home directory for an SFTP user, you can use the usermod command with the -d option followed by the desired directory path. For example, sudo usermod -d /new/home/directory sftpuser will change the home directory for the user sftpuser to /new/home/directory.

Can restricted SFTP users execute commands on the server?

No, restricted SFTP users cannot execute commands on the server. They are limited to file transfer and remote file management operations within their designated home directory. The configuration in the article ensures that the user’s SSH session is limited to the SFTP protocol.
